Update to latest released upstream version 2.2.0

.gitignore

@@ -82,3 +82,4 @@ sssd-1.2.91.tar.gz
 /sssd-1.16.2.tar.gz
 /sssd-2.0.0.tar.gz
 /sssd-2.1.0.tar.gz
+/sssd-2.2.0.tar.gz

0001-GPO-Add-option-ad_gpo_ignore_unreadable.patch

@@ -1,218 +0,0 @@
-From 2f27dd9f05c2d3ed1c190ba387bc97738988efb0 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
-Date: Wed, 17 Oct 2018 16:57:20 +0200
-Subject: [PATCH] GPO: Add option ad_gpo_ignore_unreadable
-
-Add option to ignore group policy containers in AD
-with unreadable or missing attributes. This is
-for the case when server contains GPOs that
-have very strict permissions on their attributes
-in AD but are unrelated to access control.
-
-Rather then using this option it is better to
-change the permissions on the AD objects but
-that may not be always possible (company policy,
-not access to server etc.).
-
-Resolves:
-https://pagure.io/SSSD/sssd/issue/3867
-CVE-2018-16838
-
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
----
- src/config/cfg_rules.ini     |  1 +
- src/man/sssd-ad.5.xml        | 19 +++++++++++++
- src/providers/ad/ad_common.h |  1 +
- src/providers/ad/ad_gpo.c    | 67 +++++++++++++++++++++++++++++++++++++++++---
- src/providers/ad/ad_opts.c   |  1 +
- 5 files changed, 85 insertions(+), 4 deletions(-)
-
-diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
-index b3764bd..292aa4d 100644
---- a/src/config/cfg_rules.ini
-+++ b/src/config/cfg_rules.ini
-@@ -441,6 +441,7 @@ option = ad_enabled_domains
- option = ad_enable_gc
- option = ad_gpo_access_control
- option = ad_gpo_implicit_deny
-+option = ad_gpo_ignore_unreadable
- option = ad_gpo_cache_timeout
- option = ad_gpo_default_right
- option = ad_gpo_map_batch
-diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
-index ae3279d..5c51e80 100644
---- a/src/man/sssd-ad.5.xml
-+++ b/src/man/sssd-ad.5.xml
-@@ -437,6 +437,25 @@ DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,
-                     </listitem>
-                 </varlistentry>
- 
-+                <varlistentry>
-+                    <term>ad_gpo_ignore_unreadable (boolean)</term>
-+                    <listitem>
-+                        <para>
-+                            Normally when some group policy containers (AD
-+                            object) of applicable group policy objects are
-+                            not readable by SSSD then users are denied access.
-+                            This option allows to ignore group policy
-+                            containers and with them associated policies
-+                            if their attributes in group policy containers
-+                            are not readable for SSSD.
-+                        </para>
-+                        <para>
-+                            Default: False
-+                        </para>
-+                    </listitem>
-+                </varlistentry>
-+
-+
- 
-                 <varlistentry>
-                     <term>ad_gpo_cache_timeout (integer)</term>
-diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
-index 662276c..4eb4101 100644
---- a/src/providers/ad/ad_common.h
-+++ b/src/providers/ad/ad_common.h
-@@ -53,6 +53,7 @@ enum ad_basic_opt {
-     AD_ENABLE_GC,
-     AD_GPO_ACCESS_CONTROL,
-     AD_GPO_IMPLICIT_DENY,
-+    AD_GPO_IGNORE_UNREADABLE,
-     AD_GPO_CACHE_TIMEOUT,
-     AD_GPO_MAP_INTERACTIVE,
-     AD_GPO_MAP_REMOTE_INTERACTIVE,
-diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
-index 3b472e0..5f85910 100644
---- a/src/providers/ad/ad_gpo.c
-+++ b/src/providers/ad/ad_gpo.c
-@@ -3603,6 +3603,7 @@ struct ad_gpo_process_gpo_state {
-     struct ad_access_ctx *access_ctx;
-     struct tevent_context *ev;
-     struct sdap_id_op *sdap_op;
-+    struct dp_option *ad_options;
-     struct sdap_options *opts;
-     char *server_hostname;
-     struct sss_domain_info *host_domain;
-@@ -3647,6 +3648,7 @@ ad_gpo_process_gpo_send(TALLOC_CTX *mem_ctx,
- 
-     state->ev = ev;
-     state->sdap_op = sdap_op;
-+    state->ad_options = access_ctx->ad_options;
-     state->opts = opts;
-     state->server_hostname = server_hostname;
-     state->host_domain = host_domain;
-@@ -3872,6 +3874,54 @@ static bool machine_ext_names_is_blank(char *attr_value)
- }
- 
- static errno_t
-+ad_gpo_missing_or_unreadable_attr(struct ad_gpo_process_gpo_state *state,
-+                                  struct tevent_req *req)
-+{
-+    bool ignore_unreadable = dp_opt_get_bool(state->ad_options,
-+                                             AD_GPO_IGNORE_UNREADABLE);
-+
-+    if (ignore_unreadable) {
-+        /* If admins decided to skip GPOs with unreadable
-+         * attributes just log the SID of skipped GPO */
-+        DEBUG(SSSDBG_TRACE_FUNC,
-+              "Group Policy Container with DN [%s] has unreadable or missing "
-+              "attributes -> skipping this GPO "
-+              "(ad_gpo_ignore_unreadable = True)\n",
-+              state->candidate_gpos[state->gpo_index]->gpo_dn);
-+        state->gpo_index++;
-+        return ad_gpo_get_gpo_attrs_step(req);
-+    } else {
-+        /* Inform in logs and syslog that this GPO can
-+         * not be processed due to unreadable or missing
-+         * attributes and point to possible server side
-+         * and client side solutions. */
-+        DEBUG(SSSDBG_CRIT_FAILURE,
-+              "Group Policy Container with DN [%s] is unreadable or has "
-+              "unreadable or missing attributes. In order to fix this "
-+              "make sure that this AD object has following attributes "
-+              "readable: nTSecurityDescriptor, cn, gPCFileSysPath, "
-+              "gPCMachineExtensionNames, gPCFunctionalityVersion, flags. "
-+              "Alternatively if you do not have access to the server or can "
-+              "not change permissions on this object, you can use option "
-+              "ad_gpo_ignore_unreadable = True which will skip this GPO."
-+              "See 'man ad_gpo_ignore_unreadable for details.'\n",
-+              state->candidate_gpos[state->gpo_index]->gpo_dn);
-+        sss_log(SSSDBG_CRIT_FAILURE,
-+                "Group Policy Container with DN [%s] is unreadable or has "
-+                "unreadable or missing attributes. In order to fix this "
-+                "make sure that this AD object has following attributes "
-+                "readable: nTSecurityDescriptor, cn, gPCFileSysPath, "
-+                "gPCMachineExtensionNames, gPCFunctionalityVersion, flags. "
-+                "Alternatively if you do not have access to the server or can "
-+                "not change permissions on this object, you can use option "
-+                "ad_gpo_ignore_unreadable = True which will skip this GPO."
-+                "See 'man ad_gpo_ignore_unreadable for details.'\n",
-+                state->candidate_gpos[state->gpo_index]->gpo_dn);
-+        return EFAULT;
-+    }
-+}
-+
-+static errno_t
- ad_gpo_sd_process_attrs(struct tevent_req *req,
-                         char *smb_host,
-                         struct sysdb_attrs *result)
-@@ -3890,7 +3940,10 @@ ad_gpo_sd_process_attrs(struct tevent_req *req,
- 
-     /* retrieve AD_AT_CN */
-     ret = sysdb_attrs_get_string(result, AD_AT_CN, &gpo_guid);
--    if (ret != EOK) {
-+    if (ret == ENOENT) {
-+        ret = ad_gpo_missing_or_unreadable_attr(state, req);
-+        goto done;
-+    } else if (ret != EOK) {
-         DEBUG(SSSDBG_OP_FAILURE,
-               "sysdb_attrs_get_string failed: [%d](%s)\n",
-               ret, sss_strerror(ret));
-@@ -3911,7 +3964,10 @@ ad_gpo_sd_process_attrs(struct tevent_req *req,
-                                  AD_AT_FILE_SYS_PATH,
-                                  &raw_file_sys_path);
- 
--    if (ret != EOK) {
-+    if (ret == ENOENT) {
-+        ret = ad_gpo_missing_or_unreadable_attr(state, req);
-+        goto done;
-+    } else if (ret != EOK) {
-         DEBUG(SSSDBG_OP_FAILURE,
-               "sysdb_attrs_get_string failed: [%d](%s)\n",
-               ret, sss_strerror(ret));
-@@ -3959,7 +4015,10 @@ ad_gpo_sd_process_attrs(struct tevent_req *req,
-     /* retrieve AD_AT_FLAGS */
-     ret = sysdb_attrs_get_int32_t(result, AD_AT_FLAGS,
-                                   &gp_gpo->gpo_flags);
--    if (ret != EOK) {
-+    if (ret == ENOENT) {
-+        ret = ad_gpo_missing_or_unreadable_attr(state, req);
-+        goto done;
-+    } else if (ret != EOK) {
-         DEBUG(SSSDBG_OP_FAILURE,
-               "sysdb_attrs_get_int32_t failed: [%d](%s)\n",
-               ret, sss_strerror(ret));
-@@ -3977,7 +4036,7 @@ ad_gpo_sd_process_attrs(struct tevent_req *req,
-     if ((ret == ENOENT) || (el->num_values == 0)) {
-         DEBUG(SSSDBG_OP_FAILURE,
-               "nt_sec_desc attribute not found or has no value\n");
--        ret = ENOENT;
-+        ret = ad_gpo_missing_or_unreadable_attr(state, req);
-         goto done;
-     }
- 
-diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c
-index 9ca18c4..f2ca215 100644
---- a/src/providers/ad/ad_opts.c
-+++ b/src/providers/ad/ad_opts.c
-@@ -39,6 +39,7 @@ struct dp_option ad_basic_opts[] = {
-     { "ad_enable_gc", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
-     { "ad_gpo_access_control", DP_OPT_STRING, { AD_GPO_ACCESS_MODE_DEFAULT }, NULL_STRING },
-     { "ad_gpo_implicit_deny", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
-+    { "ad_gpo_ignore_unreadable", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
-     { "ad_gpo_cache_timeout", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER },
-     { "ad_gpo_map_interactive", DP_OPT_STRING, NULL_STRING, NULL_STRING },
-     { "ad_gpo_map_remote_interactive", DP_OPT_STRING, NULL_STRING, NULL_STRING },
--- 
-2.9.5
-

0502-SYSTEMD-Use-capabilities.patch

@@ -15,7 +15,7 @@ index 0c515d34caaa3ea397c4c7e95eef0188df170840..252889dbb2b7b1e651966258e7b76eab
 @@ -11,6 +11,7 @@ ExecStart=@sbindir@/sssd -i ${DEBUG_LOGGER}
  Type=notify
  NotifyAccess=main
- PIDFile=@localstatedir@/run/sssd.pid
+ PIDFile=@pidpath@/sssd.pid
 +CapabilityBoundingSet=CAP_IPC_LOCK CAP_CHOWN CAP_DAC_READ_SEARCH CAP_KILL CAP_NET_ADMIN CAP_SYS_NICE CAP_FOWNER CAP_SETGID CAP_SETUID CAP_SYS_ADMIN CAP_SYS_RESOURCE CAP_BLOCK_SUSPEND
  
  [Install]

sources

@@ -1 +1 @@
-SHA512 (sssd-2.1.0.tar.gz) = 12a7e5b89d462350af3c43e15b24a437dd985ac4a2e419d5e52cc0d05c6eacb9319d39b23681595ef860120cd1ae6e5fb265054afeddcb05d3d5f5de5d6ffa63
+SHA512 (sssd-2.2.0.tar.gz) = 9ebd8784e1f0c72cb808bbc153c0b0aa9bf507938f78336a260073a89b49350dc2c6172653509738ea7a50bb9da596725e1d6c92f99c7a03308aa42f6378dbbb

sssd.spec

@@ -35,15 +35,15 @@
 %endif
 
 Name: sssd
-Version: 2.1.0
-Release: 2%{?dist}
+Version: 2.2.0
+Release: 1%{?dist}
 Summary: System Security Services Daemon
 License: GPLv3+
 URL: https://pagure.io/SSSD/sssd/
 Source0: https://releases.pagure.org/SSSD/sssd/%{name}-%{version}.tar.gz
 
 ### Patches ###
-Patch0001: 0001-GPO-Add-option-ad_gpo_ignore_unreadable.patch
+#Patch0001: ...
 
 ### Downstream only patches ###
 Patch0502: 0502-SYSTEMD-Use-capabilities.patch
@@ -461,7 +461,7 @@ UIDs/GIDs to names and vice versa. It can be also used for mapping principal
 (user) name to IDs(UID or GID) or to obtain groups which user are member of.
 
 %package -n libsss_certmap
-Summary: SSSD Certficate Mapping Library
+Summary: SSSD Certificate Mapping Library
 License: LGPLv3+
 Conflicts: sssd-common < %{version}-%{release}
 
@@ -469,7 +469,7 @@ Conflicts: sssd-common < %{version}-%{release}
 Library to map certificates to users based on rules
 
 %package -n libsss_certmap-devel
-Summary: SSSD Certficate Mapping Library
+Summary: SSSD Certificate Mapping Library
 License: LGPLv3+
 Requires: libsss_certmap = %{version}-%{release}
 
@@ -1068,6 +1068,9 @@ fi
                                 %{_libdir}/%{name}/modules/libwbclient.so
 
 %changelog
+* Mon Jun 17 2019 Michal Židek <mzidek@redhat.com> - 2.2.0-1
+- Update to latest released upstream version
+- https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_2_2_0.html
 
 * Wed Mar 27 2019 Michal Židek <mzidek@redhat.com> - 2.1.0-2
 - Resolves: upstream#3867 - [RFE] Need an option in SSSD so that it will skip